Incident Response & Breach Response Plan
This public plan explains how Leasily responds to suspected security incidents, privacy incidents, and eligible data breaches.
1. Purpose
This Incident Response & Breach Response Plan explains, at a public level, how Leasily responds to suspected security incidents, privacy incidents, unauthorised access, mistaken disclosures, provider incidents, and eligible data breaches.
This document is a public summary. Internal investigation steps, security tooling, credentials, and sensitive operational details are not published.
2. What counts as an incident
An incident may include unauthorised account access, accidental disclosure, lost or exposed credentials, unauthorised data export, provider compromise, payment workflow misuse, suspicious platform activity, malware, vulnerability exploitation, or loss of personal information.
3. Response steps
When Leasily becomes aware of a suspected incident, we aim to triage the report, preserve relevant evidence, contain the issue, assess affected systems and data, reduce ongoing risk, communicate with relevant providers, and remediate the underlying cause where practical.
The exact response depends on the incident type, severity, affected users, affected records, provider involvement, legal obligations, and whether law enforcement, regulators, Stripe, banks, or other third parties need to be involved.
4. Data breach assessment
Where an incident involves personal information, Leasily assesses whether it is likely to result in serious harm and whether it may be an eligible data breach for the purposes of the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme.
Assessment may consider the type and sensitivity of information, whether it was protected, who may have accessed it, likely harm, containment steps, and whether remedial action has reduced the likelihood of serious harm.
5. Notification
If notification is required, Leasily aims to take reasonable steps to notify affected individuals and, where required, the Office of the Australian Information Commissioner. Notifications may describe what happened, what information was involved, recommended protective steps, and how to contact us.
We may also notify users, partners, providers, payment processors, regulators, law enforcement, or other parties where reasonably necessary to contain, investigate, remediate, or comply with law.
6. User and partner cooperation
Users and partners must promptly tell Leasily about suspected unauthorised access, mistaken disclosure, exposed credentials, suspicious payment activity, or other security issues affecting Leasily data or accounts.
Partners with API, portal, webhook, white-label, or referral access must cooperate with incident investigation, containment, affected-user notices, credential rotation, and remediation where their systems or users are involved.
7. After an incident
After a material incident, Leasily may review root causes, update controls, rotate credentials, change workflows, restrict accounts, improve monitoring, update public policies, or take other remediation steps.
8. Report an incident
Report suspected security, privacy, or breach issues to info@leasily.com.au with enough detail for us to investigate. If the report involves urgent account compromise, include the affected email address, approximate time, and the suspicious activity observed.
Questions or requests about this document? info@leasily.com.au